
classification
Title: Use after free in siftup
Type: crash
Stage: needs patch
Components: Extension Modules
Versions: Python 3.4, Python 3.5
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: rhettinger
Nosy List: Arfrever, christian.heimes, pkt, python-dev, rhettinger, serhiy.storchaka
Priority: normal
Keywords:

Created on 2015-05-01 14:12 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name: poc_siftup.py
Uploaded: pkt, 2015-05-01 14:12
Messages (3)
msg242318 - Author: paul (pkt) Date: 2015-05-01 14:12
# Breakpoint 1, _siftup (heap=0x4056b344, pos=65534) at /home/p/Python-3.4.1/Modules/_heapqmodule.c:121
# warning: Source file is more recent than executable.
# 121         Py_DECREF(PyList_GET_ITEM(heap, pos));
# (gdb) print *heap->ob_item[pos]
# $1 = {_ob_next = 0x41812058, _ob_prev = 0x831159c <refchain>, ob_refcnt = 1, ob_type = 0x4058fd1c}
# (gdb) n
# 122         PyList_SET_ITEM(heap, pos, newitem);
# (gdb) print *heap->ob_item[pos]
# Cannot access memory at address 0x3fff8
# (gdb) print *heap
# $2 = {ob_base = {ob_base = {_ob_next = 0x4059c0b4, _ob_prev = 0x405903b4, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}, 
#       ob_size = 0}, ob_item = 0x0, allocated = 0}
# (gdb) n
# 
# Program received signal SIGSEGV, Segmentation fault.
# 0x4002f150 in _siftup (heap=0x4056b344, pos=65534) at /home/p/Python-3.4.1/Modules/_heapqmodule.c:122
# 122         PyList_SET_ITEM(heap, pos, newitem);
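The ordering problem visible in the gdb session above (the list is emptied during the Py_DECREF step at line 121, before the PyList_SET_ITEM at line 122), as an added example that is not CPython code and not the committed fix. `Obj`, `List`, `release`, `clear_list` and both `replace_*` functions are a constructed model, and the -1 return stands in for the crash.

```c
#include <stddef.h>

/* Constructed model, not CPython code: objects carry a reference count and
   an optional finalizer; the list owns one reference per stored item. */
typedef struct Obj { int refcnt; void (*fin)(void *); void *arg; } Obj;
typedef struct List { Obj **items; size_t size; } List;

static void release(Obj *o) {
    if (--o->refcnt == 0 && o->fin) o->fin(o->arg);  /* arbitrary code runs here */
}

/* Finalizer that empties the list, reproducing the state gdb printed after
   the Py_DECREF: ob_size = 0, ob_item = 0x0. */
static void clear_list(void *arg) {
    List *l = arg;
    Obj **old = l->items; size_t n = l->size;
    l->items = NULL; l->size = 0;
    for (size_t i = 0; i < n; i++)
        if (old[i]->refcnt > 0) release(old[i]);     /* skip the dying object */
}

/* Order at _heapqmodule.c:121-122: release the old item, then store.
   Returns -1 where the original would store through stale list state. */
static int replace_release_first(List *l, size_t pos, Obj *item) {
    release(l->items[pos]);
    if (l->items == NULL || pos >= l->size) return -1;  /* stand-in for SIGSEGV */
    l->items[pos] = item;
    return 0;
}

/* Hardened order: store first, release last, touch the list no further. */
static int replace_store_first(List *l, size_t pos, Obj *item) {
    if (pos >= l->size) return -1;
    Obj *old = l->items[pos];
    l->items[pos] = item;        /* list now owns the caller's reference */
    release(old);                /* finalizer sees a consistent list */
    return 0;
}

/* Builds a two-item list whose last item clears the list when finalized. */
int demo(int store_first) {
    Obj other = {1, NULL, NULL}, fresh = {1, NULL, NULL}, victim = {1, clear_list, NULL};
    Obj *slots[2] = {&other, &victim};
    List l = {slots, 2}; victim.arg = &l;
    return store_first ? replace_store_first(&l, 1, &fresh)
                       : replace_release_first(&l, 1, &fresh);
}

int main(void) { return !(demo(0) == -1 && demo(1) == 0); }
```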
msg242410 - Author: Roundup Robot (python-dev) (Python triager) Date: 2015-05-02 17:07
New changeset 813854f49f9d by Raymond Hettinger in branch '3.4':
Issues #24099, #24100, and #24101: Fix free-after-use bug in heapq.
https://hg.python.org/cpython/rev/813854f49f9d
msg242415 - Author: Roundup Robot (python-dev) (Python triager) Date: 2015-05-02 17:27
New changeset d356e68de236 by Raymond Hettinger in branch '2.7':
Issues #24099, #24100, and #24101: Fix free-after-use bug in heapq.
https://hg.python.org/cpython/rev/d356e68de236
History
Date User Action Args
2022-04-11 14:58:16 admin set github: 68289
2015-05-04 11:22:19 rhettinger set status: open -> closed; resolution: fixed
2015-05-03 06:52:14 Arfrever set nosy: + Arfrever
2015-05-02 17:27:06 python-dev set messages: + msg242415
2015-05-02 17:07:45 python-dev set nosy: + python-dev; messages: + msg242410
2015-05-02 04:51:26 serhiy.storchaka set nosy: + serhiy.storchaka
2015-05-02 04:10:02 rhettinger set assignee: rhettinger; nosy: + rhettinger
2015-05-01 14:14:43 christian.heimes set nosy: + christian.heimes; stage: needs patch; components: + Extension Modules; versions: + Python 3.5
2015-05-01 14:12:55 pkt create